
NPM audit shows lots of vulnerable used packages

Open jmijn opened this issue 3 years ago • 3 comments

I just installed the latest Talk release (6.16.1) on my local machine to see how to modify the code to make our own features/changes. During the npm install I already saw this message:

found 640 vulnerabilities (12 low, 408 moderate, 212 high, 8 critical) in 6909 scanned packages

Scanning through the mentioned critical issues, one stood out:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Arbitrary Code Execution in mathjs                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ mathjs                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.17.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ postcss-calc-function [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ postcss-calc-function > mathjs                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-pv8x-p9hq-j328            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Looks like Mathjs 2.7.0 is now pinned in the package-lock.json file.

What is the policy for Coral/Talk for these security issues? When will the packages be bumped to the patched versions?

jmijn avatar Dec 27 '21 10:12 jmijn

Thanks for flagging, we're planning to audit our dependencies in January.

tessalt avatar Dec 27 '21 16:12 tessalt

@tessalt, any update on this? We are moving towards the end of February already ;)

jmijn avatar Feb 24 '22 09:02 jmijn

We're working on it in an upcoming sprint - thanks for checking in!

losowsky avatar Apr 06 '22 15:04 losowsky

Hi there! I was planning on contributing and I see there are still plenty of vulnerabilities, will there be updates soon?

KidesLeo avatar Sep 26 '22 14:09 KidesLeo

Hi there! We're planning on getting to this in our next sprint. Thanks for checking!

losowsky avatar Sep 26 '22 17:09 losowsky

> thanks for flagging, we're planning to audit our dependencies in january.

Any news?

patrickdung avatar Jan 01 '23 15:01 patrickdung

High severity vulnerabilities have been addressed (https://github.com/coralproject/talk/pull/4079); many of the remaining vulnerabilities either do not impact Coral or are in devDependencies.

tessalt avatar Jan 23 '23 16:01 tessalt
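The audit table at the top of the thread and the reply above make the same triage point from two sides: an advisory reached only through a `[dev]` dependency path (here `postcss-calc-function > mathjs`, with 2.7.0 pinned in package-lock.json) does not ship in the production install, so it ranks below anything reachable from runtime dependencies. The script below is an added example, not code from the coralproject/talk repository: it splits an `npm audit --json` report into production-reachable and dev-only advisories and cross-checks the lock file for the pinned version. It assumes the npm 6 JSON layout (an `advisories` map whose entries carry `findings[]` with `paths` and `dev`) and a lockfileVersion 1 lock file (nested `dependencies` objects). The sample report and lock fragment are constructed inline; the mathjs entry mirrors the issue's table, while the second advisory, its package name and URL are placeholders.

```javascript
// Added example (not code from the coralproject/talk repository): triage an
// `npm audit --json` report and cross-check what package-lock.json actually pins.
// Assumed formats: npm 6 audit JSON (`advisories` map, `findings[]` with `paths`
// and `dev`) and lockfileVersion 1 (nested `dependencies` with `version`/`dev`).

const SEVERITY_ORDER = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };

// Constructed sample report. The mathjs entry mirrors the table in the issue;
// the second advisory is hypothetical, with placeholder name, title and URL.
const sampleAudit = {
  advisories: {
    '1': {
      module_name: 'mathjs',
      severity: 'critical',
      title: 'Arbitrary Code Execution in mathjs',
      patched_versions: '>=3.17.0',
      url: 'https://github.com/advisories/GHSA-pv8x-p9hq-j328',
      findings: [{ version: '2.7.0', paths: ['postcss-calc-function>mathjs'], dev: true }],
    },
    '2': {
      module_name: 'example-runtime-lib', // hypothetical package name
      severity: 'high',
      title: 'Placeholder advisory used only to show a production-reachable finding',
      patched_versions: '>=1.2.0',
      url: 'https://example.invalid/placeholder-advisory',
      findings: [
        { version: '1.1.0', paths: ['example-runtime-lib'], dev: false },
        { version: '1.1.0', paths: ['some-dev-tool>example-runtime-lib'], dev: true },
      ],
    },
  },
};

// Constructed lockfileVersion 1 fragment; the postcss-calc-function version is a placeholder.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'postcss-calc-function': {
      version: '0.0.0-placeholder',
      dev: true,
      dependencies: { mathjs: { version: '2.7.0', dev: true } },
    },
  },
};

// Flatten each advisory into one row; devOnly is true when every finding is
// reached through devDependencies (a dev:false finding means the vulnerable
// package is in the production install tree).
function triageAudit(report) {
  const rows = Object.values(report.advisories || {}).map((adv) => {
    const findings = adv.findings || [];
    return {
      module: adv.module_name,
      severity: adv.severity,
      title: adv.title,
      patched: adv.patched_versions,
      url: adv.url,
      versions: [...new Set(findings.map((f) => f.version))],
      paths: findings.flatMap((f) => f.paths || []),
      devOnly: findings.length > 0 && findings.every((f) => f.dev === true),
    };
  });
  // Production-reachable first, then by severity, then by name for stable output.
  rows.sort(
    (a, b) =>
      Number(a.devOnly) - Number(b.devOnly) ||
      (SEVERITY_ORDER[a.severity] ?? 9) - (SEVERITY_ORDER[b.severity] ?? 9) ||
      a.module.localeCompare(b.module)
  );
  return rows;
}

// Count advisories per severity, split into production-reachable and dev-only.
function summarize(rows) {
  const summary = { production: {}, devOnly: {} };
  for (const row of rows) {
    const bucket = row.devOnly ? summary.devOnly : summary.production;
    bucket[row.severity] = (bucket[row.severity] || 0) + 1;
  }
  return summary;
}

// Walk the nested `dependencies` tree of a lockfileVersion 1 lock file and
// return every pinned copy of `name` together with the path that reaches it.
function findLockedVersions(lock, name, prefix = '', out = []) {
  for (const [depName, entry] of Object.entries(lock.dependencies || {})) {
    const path = prefix ? `${prefix}>${depName}` : depName;
    if (depName === name) out.push({ path, version: entry.version, dev: Boolean(entry.dev) });
    if (entry.dependencies) findLockedVersions(entry, name, path, out);
  }
  return out;
}

// One summary line, then one line per advisory with the lock-file evidence.
function renderReport(report, lock) {
  const rows = triageAudit(report);
  const lines = [`summary: ${JSON.stringify(summarize(rows))}`];
  for (const row of rows) {
    const pinned = findLockedVersions(lock, row.module).map((p) => `${p.path}@${p.version}`);
    lines.push(
      `${row.devOnly ? '[dev-only]' : '[PRODUCTION]'} ${row.severity} ${row.module} ` +
        `${row.versions.join(',')} -> patched in ${row.patched}; locked: ${pinned.join(', ') || 'n/a'}`
    );
  }
  return lines;
}

console.log(renderReport(sampleAudit, sampleLock).join('\n'));
```

To run it against a real tree, replace `sampleAudit` with the parsed output of `npm audit --json` and `sampleLock` with the parsed package-lock.json; `findLockedVersions` is what turns the advisory's `Path` row into the concrete pinned version, which is the evidence to carry into a bump PR such as the one linked above.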

Dependabot shows over 200 security alerts, and the server subfolder gives over one hundred high/critical vulnerabilities with npm audit in v8.5.3. Any plan on moving on these or Node upgrades?

rigperro avatar Oct 18 '23 07:10 rigperro